[image] Add a sanity check to JPEG encoder buffer handling.

master
Fedor 2020-07-16 03:49:46 +03:00
parent ef217a94a8
commit c8fc4f8bb5
1 changed files with 8 additions and 3 deletions

View File

@ -8,6 +8,7 @@
#include "nsString.h"
#include "nsStreamUtils.h"
#include "gfxColor.h"
#include "mozilla/CheckedInt.h"
#include <setjmp.h>
#include "jerror.h"
@ -430,10 +431,14 @@ nsJPEGEncoder::emptyOutputBuffer(jpeg_compress_struct* cinfo)
that->mImageBufferUsed = that->mImageBufferSize;
// expand buffer, just double size each time
that->mImageBufferSize *= 2;
uint8_t* newBuf = nullptr;
CheckedInt<uint32_t> bufSize =
CheckedInt<uint32_t>(that->mImageBufferSize) * 2;
if (bufSize.isValid()) {
that->mImageBufferSize = bufSize.value();
newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize);
}
uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
that->mImageBufferSize);
if (!newBuf) {
// can't resize, just zero (this will keep us from writing more)
free(that->mImageBuffer);